1. Field of the Invention
The invention relates to a machine-implemented method for determining whether a to-be-analyzed software is a known malware, more particularly to a machine-implemented method for determining whether a to-be-analyzed software is a known malware or a variant of the known malware.
2. Description of the Related Art
With the convenience of the Internet also come security threats posed by malicious software and programs (collectively referred to as malware).
A botnet is an autonomous network of compromised zombie computers running software agents, commonly referred to as robots or bots, under the control of an attacker. Botnets are generally used for nefarious purposes, such as sending spam messages and conducting information theft. These attacks may cripple parts of the Internet or even cause financial losses. Therefore, preventive measures such as botnet detection and removal are constantly under study and research in the relevant field.
Conventionally, there are two approaches to detecting botnets, namely a static analysis approach and a dynamic analysis approach. In the static analysis approach, a to-be-analyzed binary (or code) is analyzed to determine whether it contains suspicious instruction sequences or well-known signatures of known botnets. The static analysis approach does not consider what happens after the to-be-analyzed binary is executed, and does not produce accurate results if the to-be-analyzed binary is a botnet agent binary that has undergone obfuscation (e.g., one that has been encrypted or compressed). On the other hand, the dynamic analysis approach executes the to-be-analyzed binary and monitors its runtime behavior (e.g., calls to application programming interfaces (APIs), modifications of the system registry) in order to determine whether it resembles a known botnet. However, the conventional dynamic analysis approach is coarse-grained and does not generate highly accurate results.
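To make the contrast drawn above concrete, the following is an added illustration, not part of the patent and not the claimed method: a byte signature that matches a constructed stand-in binary but no longer matches once the same bytes are compressed, and two constructed behavior-trace comparisons, one over the bare set of observed calls (the coarse measure) and one over call bigrams so that the order of calls is taken into account. All bytes, traces and call names are constructed examples.

```python
import zlib

# Constructed stand-in for a known bot agent binary, together with a static
# signature (a distinctive byte sequence) taken from it. Not real malware bytes.
KNOWN_BOT_BINARY = b"MZ\x90\x00" + b"\xcc" * 16 + b"IRC JOIN #cmdchan" + b"\x00" * 32
SIGNATURE = b"IRC JOIN #cmdchan"

def static_signature_match(binary: bytes, signature: bytes) -> bool:
    """Static analysis: scan the file bytes for a known signature."""
    return signature in binary

def obfuscate(binary: bytes) -> bytes:
    """Compression stands in for the packing/encryption that hides byte signatures."""
    return zlib.compress(binary)

# Constructed runtime traces as a dynamic analysis might record them (API calls and
# a registry change). The variant adds timing/noise calls but keeps the core behavior.
KNOWN_TRACE = ["RegSetValueEx(Run)", "socket", "connect", "send(JOIN)", "recv", "CreateProcess"]
VARIANT_TRACE = ["Sleep", "RegSetValueEx(Run)", "socket", "connect", "GetTickCount",
                 "send(JOIN)", "recv", "CreateProcess"]
BENIGN_TRACE = ["CreateFile", "ReadFile", "WriteFile", "CloseHandle"]

def jaccard(a: set, b: set) -> float:
    """Jaccard index |a & b| / |a | b|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def set_similarity(trace_a: list, trace_b: list) -> float:
    """Coarse dynamic comparison: which calls occurred, ignoring their order."""
    return jaccard(set(trace_a), set(trace_b))

def bigram_similarity(trace_a: list, trace_b: list) -> float:
    """Order-aware comparison: Jaccard over adjacent call pairs, so that e.g.
    'connect' followed by 'send' counts as evidence and a reordering does not."""
    bigrams = lambda t: set(zip(t, t[1:]))
    return jaccard(bigrams(trace_a), bigrams(trace_b))

if __name__ == "__main__":
    print("static match, plain binary:     ", static_signature_match(KNOWN_BOT_BINARY, SIGNATURE))
    print("static match, obfuscated binary:", static_signature_match(obfuscate(KNOWN_BOT_BINARY), SIGNATURE))
    print("set similarity, variant: ", set_similarity(KNOWN_TRACE, VARIANT_TRACE))
    print("bigram similarity, variant:", bigram_similarity(KNOWN_TRACE, VARIANT_TRACE))
    print("set similarity, benign:  ", set_similarity(KNOWN_TRACE, BENIGN_TRACE))
```

Running the block shows the static signature found in the plain bytes but not in the compressed copy, while both behavior measures still relate the variant trace to the known one and give the benign trace a score of zero.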